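/**
 * Renders this connection as a multi-line, human-readable dump (debug output).
 *
 * Optional fields (addresses, ports, timestamps, TCP control bits, protocol)
 * are only listed when they are non-zero. Octet and packet counters are
 * always listed; they are kept in network byte order and byte-swapped for
 * display. A payload is printed twice, once as printable text and once as
 * hex, each under its own label.
 *
 * @return the formatted dump; every line ends with a newline
 */
string Connection::toString()
{
	ostringstream oss;
	oss << "connection: " << endl;
	if (srcIP) oss << "srcIP: " << IPToString(srcIP) << endl;
	if (dstIP) oss << "dstIP: " << IPToString(dstIP) << endl;
	if (srcPort) oss << "srcPort: " << srcPort << endl;
	if (dstPort) oss << "dstPort: " << dstPort << endl;
	if (srcTimeStart) oss << "srcTimeStart: " << srcTimeStart << endl;
	if (srcTimeEnd) oss << "srcTimeEnd: " << srcTimeEnd << endl;
	if (dstTimeStart) oss << "dstTimeStart: " << dstTimeStart << endl;
	if (dstTimeEnd) oss << "dstTimeEnd: " << dstTimeEnd << endl;

	// counters are stored in network byte order; the 64-bit byte swap is
	// symmetric, so htonll converts them back to host order here
	oss << "srcOctets: " << htonll(srcOctets) << ", dstOctets: " << htonll(dstOctets) << endl;
	oss << "srcPackets: " << htonll(srcPackets) << ", dstPackets: " << htonll(dstPackets) << endl;

	if (srcTcpControlBits || dstTcpControlBits) {
		oss << "srcTcpControlBits: " << printTcpControlBits(srcTcpControlBits)
		    << ", dstTcpControlBits: " << printTcpControlBits(dstTcpControlBits) << endl;
	}
	// protocol is a one-byte field (printed with %hhu elsewhere); cast so the
	// stream prints a number instead of a character
	if (protocol) oss << "protocol: " << static_cast<uint32_t>(protocol) << endl;

	// each payload length is printed exactly once, followed by the payload in
	// printable and in hex form (the hex line used to carry the same label as
	// the plain one, and dstPayloadLen was printed twice)
	oss << "srcPayloadLen: " << srcPayloadLen << endl;
	if (srcPayloadLen > 0) {
		oss << "srcPayload: " << payloadToPlain(srcPayload, srcPayloadLen) << endl;
		oss << "srcPayloadHex: " << payloadToHex(srcPayload, srcPayloadLen) << endl;
	}
	oss << "dstPayloadLen: " << dstPayloadLen << endl;
	if (dstPayloadLen > 0) {
		oss << "dstPayload: " << payloadToPlain(dstPayload, dstPayloadLen) << endl;
		oss << "dstPayloadHex: " << payloadToHex(dstPayload, dstPayloadLen) << endl;
	}
	return oss.str();
}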
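/**
 * Prints one flow as a tab-separated table row to fh. Columns: source and
 * destination address, source and destination port, protocol, packet and
 * octet counters of both directions and the four flow timestamps. Which
 * fields are printed may become configurable (TODO!).
 *
 * @param record the IPFIX data record the flow is built from
 */
void IpfixPrinter::printTableRecord(IpfixDataRecord* record)
{
	Connection c(record);
	// %llu requires an unsigned long long argument; uint64_t is not
	// guaranteed to be the same type on every platform, so cast explicitly
	typedef long long unsigned ull;

	const std::string src = IPToString(c.srcIP);
	const std::string dst = IPToString(c.dstIP);
	fprintf(fh, "%s\t%s\t%hu\t%hu\t%hhu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%hhu\t%hhu\n",
		src.c_str(), dst.c_str(),
		ntohs(c.srcPort), ntohs(c.dstPort), c.protocol,
		(ull)ntohll(c.srcPackets), (ull)ntohll(c.dstPackets),
		(ull)ntohll(c.srcOctets), (ull)ntohll(c.dstOctets),
		(ull)c.srcTimeStart, (ull)c.srcTimeEnd, (ull)c.dstTimeStart, (ull)c.dstTimeEnd,
		c.srcTcpControlBits, c.dstTcpControlBits);
}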
/**
 * Prints one flow as a tab-separated table row to fh. Columns: source and
 * destination address, source and destination port, protocol, packet and
 * octet counters of both directions, the four flow timestamps, the payload
 * lengths, the DPA fields and the transport octet counters. Which fields are
 * printed may become configurable (TODO!).
 *
 * @param record the IPFIX data record the flow is built from
 */
void IpfixPrinter::printTableRecord(IpfixDataRecord* record)
{
	Connection c(record);
	typedef long long unsigned ull;   // the argument type %llu expects

	const std::string src = IPToString(c.srcIP);
	const std::string dst = IPToString(c.dstIP);
	fprintf(fh, "%s\t%s\t%hu\t%hu\t%hhu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%llu\t%u\t%u\t%hhu\t%hhu\t%u\t%llu\t%llu\n",
		src.c_str(), dst.c_str(),
		ntohs(c.srcPort), ntohs(c.dstPort), c.protocol,
		(ull)ntohll(c.srcPackets), (ull)ntohll(c.dstPackets),
		(ull)ntohll(c.srcOctets), (ull)ntohll(c.dstOctets),
		(ull)c.srcTimeStart, (ull)c.srcTimeEnd, (ull)c.dstTimeStart, (ull)c.dstTimeEnd,
		c.srcPayloadLen, c.dstPayloadLen,
		c.dpaForcedExport, c.dpaReverseStart, c.dpaFlowCount,
		(ull)c.srcTransOctets, (ull)c.dstTransOctets);
}
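/**
 * Adds @p bytes to the counter of host @p ip in @p traffic, creating the
 * entry if the host has not been seen before.
 *
 * @return true if a new entry was created, false if an existing one was updated
 */
static bool accountTraffic(std::map<uint32_t, uint64_t>& traffic, uint32_t ip, uint64_t bytes)
{
	std::map<uint32_t, uint64_t>::iterator it = traffic.find(ip);
	if (it == traffic.end()) {
		traffic.insert(std::pair<uint32_t, uint64_t>(ip, bytes));
		return true;
	}
	it->second += bytes;
	return false;
}

/**
 * Accounts the traffic of one flow record to the host of the monitored
 * subnet that took part in it.
 *
 * addrFilter selects what is accounted: "src" credits the source's own
 * octets to the source address, "dst" the destination's own octets to the
 * destination address. If the filter does not apply (other value, or the
 * filtered side is outside the subnet) the sum of both directions is
 * credited to whichever side lies in the subnet, source first. Records with
 * no endpoint inside the subnet are ignored. Subnet membership uses the same
 * test as the rest of this class: (ip & netAddr) == netAddr.
 *
 * For the unfiltered case a debug trace is appended to "host_stats.log"; if
 * that file cannot be opened the trace is skipped but accounting still
 * happens.
 *
 * @param record the IPFIX record the connection is built from
 */
void HostStatistics::onDataDataRecord(IpfixDataDataRecord* record)
{
	Connection conn(record);

	// the octet counters are 64-bit fields in network byte order (they are
	// converted with ntohll/htonll everywhere else); ntohl would only swap
	// the low 32 bits and lose the rest
	const uint64_t srcBytes = ntohll(conn.srcOctets);
	const uint64_t dstBytes = ntohll(conn.dstOctets);
	const bool srcInNet = (conn.srcIP & netAddr) == netAddr;
	const bool dstInNet = (conn.dstIP & netAddr) == netAddr;

	if (addrFilter == "src" && srcInNet) {
		accountTraffic(trafficMap, conn.srcIP, srcBytes);
		return;
	}
	if (addrFilter == "dst" && dstInNet) {
		accountTraffic(trafficMap, conn.dstIP, dstBytes);
		return;
	}

	// no applicable filter: credit both directions to the subnet-side host
	FILE* logFile = fopen("host_stats.log", "a");   // debug trace, optional
	if (srcInNet) {
		const bool fresh = accountTraffic(trafficMap, conn.srcIP, srcBytes + dstBytes);
		if (logFile != NULL) {
			fprintf(logFile, "Treffer - src\t");
			if (fresh) fprintf(logFile, "- %s\n", IPToString(conn.srcIP).c_str());
			else fprintf(logFile, "\n");
		}
	} else if (dstInNet) {
		const bool fresh = accountTraffic(trafficMap, conn.dstIP, srcBytes + dstBytes);
		if (logFile != NULL) {
			fprintf(logFile, "Treffer - dst\t");
			if (fresh) fprintf(logFile, "- %s\n", IPToString(conn.dstIP).c_str());
			else fprintf(logFile, "\n");
		}
	}
	if (logFile != NULL) fclose(logFile);
}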
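/**
 * Accepts one pending connection on the listening socket @p fd.
 *
 * On success connfd holds the new socket and cliaddr the peer address. On
 * failure connfd is negative and an error line is printed; cliaddr is not
 * valid in that case, so nothing about the peer is printed.
 *
 * @param fd the listening socket, stored as sockfd
 */
Accept::Accept(int fd)
{
	sockfd = fd;
	// accept() reads *addrlen as the size of the buffer it may fill, so it
	// must be initialised to sizeof(cliaddr); an indeterminate value could
	// let the kernel write past the buffer
	socklen_t cliaddrlen = sizeof(cliaddr);
	connfd = ::accept(sockfd, reinterpret_cast<struct sockaddr*>(&cliaddr), &cliaddrlen);
	if (connfd < 0) {
		std::cout << "accept errno(ps:错误日志)" << std::endl;
		return;
	}
	// sin_port is in network byte order; convert before printing
	std::cout << "tid: " << gettid() << "IP" << IPToString(cliaddr.sin_addr.s_addr)
	          << "port: " << ntohs(cliaddr.sin_port) << std::endl;
}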
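/**
 * Writes the collected per-host byte counters to logPath, replacing the
 * file: the current unix time first, then one " ip:bytes" entry per host.
 * If the file cannot be opened an error is logged and nothing is written.
 */
void HostStatistics::onReconfiguration1()
{
	FILE* logFile = fopen(logPath.c_str(), "w");
	if (logFile == NULL) {
		msg(MSG_ERROR, "HostStatistics: cannot open log file '%s'", logPath.c_str());
		return;
	}
	// current timestamp
	fprintf(logFile, "%lld", (long long)time(NULL));
	// one entry per host: IP:Bytesum; the counters are 64 bit, print them in
	// full instead of truncating them to 32 bit
	for (std::map<uint32_t, uint64_t>::const_iterator it = trafficMap.begin(); it != trafficMap.end(); ++it) {
		fprintf(logFile, " %s:%llu", IPToString(it->first).c_str(), (unsigned long long)it->second);
	}
	fclose(logFile);
}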
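/**
 * @param ipSubnet   monitored subnet in "a.b.c.d/bits" notation
 * @param addrFilter "src", "dst" or anything else (both directions), see onDataDataRecord
 * @param logPath    file the statistics are written to
 * @param logInt     logging interval
 *
 * Fails via THROWEXCEPTION when the subnet has no '/' part, the prefix length
 * is not in 0..32 or the address part cannot be resolved. Failing here is
 * deliberate: a netAddr of 0 would make the membership test match every host.
 */
HostStatistics::HostStatistics(std::string ipSubnet, std::string addrFilter, std::string logPath, uint16_t logInt)
	: ipSubnet(ipSubnet), addrFilter(addrFilter), logPath(logPath), logInt(logInt)
{
	// split "a.b.c.d/bits" at the slash
	const size_t slash = ipSubnet.find('/');
	if (slash == std::string::npos)
		THROWEXCEPTION("HostStatistics: subnet '%s' lacks the '/bits' part", ipSubnet.c_str());
	const std::string ip_str = ipSubnet.substr(0, slash);
	netSize = atoi(ipSubnet.substr(slash + 1).c_str());
	if (netSize < 0 || netSize > 32)
		THROWEXCEPTION("HostStatistics: invalid prefix length in subnet '%s'", ipSubnet.c_str());
	// NOTE(review): netSize is parsed but not applied to netAddr; membership in
	// onDataDataRecord is tested as (ip & netAddr) == netAddr — confirm intended

	// gethostbyname() returns NULL for unresolvable input; never dereference unchecked
	struct hostent* he = gethostbyname(ip_str.c_str());
	if (he == NULL || he->h_addrtype != AF_INET || he->h_addr == NULL)
		THROWEXCEPTION("HostStatistics: cannot resolve subnet address '%s'", ip_str.c_str());
	// h_addr points at the 4-byte address in network byte order
	netAddr = *reinterpret_cast<const uint32_t*>(he->h_addr);
	logTimer = time(NULL);

	// DEBUG trace of the parsed network address; skipped if the file cannot be opened
	FILE* logFile = fopen("host_stats.log", "a");
	if (logFile != NULL) {
		fprintf(logFile, "netAddr: %u\t", netAddr);
		fprintf(logFile, " - %s\n", IPToString(netAddr).c_str());
		fclose(logFile);
	}
}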
/**
 * Appends one alert line for the monitored subnet to the file
 * "anomDetectAlert". Tab-separated columns: "NET", the subnet, the last flow
 * start in milliseconds, the last flow start in seconds and two zero
 * placeholders. Reports on stdout when the file cannot be opened.
 */
void TfdAnomalyDetector::printEntry()
{
	ofstream logfile("anomDetectAlert", ios::out | ios::app);
	if (!logfile.is_open()) {
		cout << "Unable to open file";
		return;
	}
	const char sep = '\t';
	logfile << "NET" << sep
	        << IPToString(subnet) << sep
	        << lastFlowStartMilliSec << sep
	        << lastFlowStartSec << sep
	        // placeholders for the last values used in the calculation
	        << 0 << sep
	        << 0 << sep
	        << endl;
	logfile.close();
}
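/**
 * Human-readable identification of the exporter: "ip:port (proto) ODID=n".
 * Only 4-byte (IPv4) exporter addresses are rendered, other lengths print a
 * placeholder. Transport protocols 17 and 132 are named, all others are
 * printed numerically.
 */
std::string toString() const
{
	ostringstream oss;
	if (exporterAddress.len == 4) {
		// NOTE(review): reads the first four bytes of exporterAddress as the
		// IPv4 address — confirm against the struct layout
		oss << IPToString(*reinterpret_cast<const uint32_t*>(&exporterAddress));
	} else {
		oss << "non-IPv4 address";
	}
	oss << ":" << exporterPort;
	switch (protocol) {
	case 17:
		oss << " (UDP)";
		break;
	case 132:
		oss << " (SCTP)";
		break;
	default:
		// cast so a one-byte protocol field is printed as a number, not as a character
		oss << " (" << static_cast<unsigned>(protocol) << ")";
	}
	oss << " ODID=" << observationDomainId;
	return oss.str();
}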
/**
 * Writes the dotted-quad form of the IPv4 address @p data to the output
 * stream fh, without a trailing newline.
 */
void PrintHelpers::printIPv4(uint32_t data)
{
	const std::string text = IPToString(data);
	fputs(text.c_str(), fh);
}
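namespace {
	/** Outcome of registering a port for a host, see registerPort(). */
	enum PortRegistration { PORT_KNOWN, PORT_NEW, HOST_NEW };
}

/**
 * Adds @p port to the port list of host @p odPair in @p portMap.
 *
 * @return HOST_NEW if the host had no list yet, PORT_NEW if the port was
 *         appended to an existing list, PORT_KNOWN if it was already listed
 */
static PortRegistration registerPort(map<int, PortList>& portMap, int odPair, uint16_t port)
{
	map<int, PortList>::iterator hostIt = portMap.find(odPair);
	if (hostIt == portMap.end()) {
		// host not yet in the map: start its list with this single port
		// (PortList(port) would construct `port` elements if PortList is a
		// standard container, so the list is built explicitly)
		portMap[odPair].push_back(port);
		return HOST_NEW;
	}
	PortList& ports = hostIt->second;
	if (find(ports.begin(), ports.end(), port) != ports.end())
		return PORT_KNOWN;
	ports.push_back(port);
	return PORT_NEW;
}

/**
 * Feeds one flow into the anomaly detection.
 *
 * Flows without an endpoint in the monitored subnet are ignored. For the
 * others the packet count is added to the per-timebin IP array of the local
 * host (source or destination array, depending on which side is local) and
 * every newly seen source/destination port of that host is counted in the
 * port arrays. Hosts are indexed by the last octet of their address.
 *
 * Time bins advance when the (rounded) start second of this flow is at
 * least binSize after the previous flow's; after TIMEBINS bins the entropy
 * calculation runs and the arrays are reset.
 *
 * @param conn the flow; packet counter and ports are in network byte order
 */
void TfdAnomalyDetector::checkConnection(Connection* conn)
{
	uint32_t host = 0;     // host in the local network (srcIP or dstIP)
	bool isSrc = false;    // true if the local host is the flow's source

	// is the source or the destination of this flow a local host?
	if ((conn->srcIP & subnetmask) == subnet) {
		host = conn->srcIP;
		isSrc = true;
	} else if ((conn->dstIP & subnetmask) == subnet) {
		host = conn->dstIP;
		isSrc = false;
	} else {
		return;
	}

	// number of packets of the current flow
	const float numFlowPackets = static_cast<float>(ntohll(conn->srcPackets));

	// start time of the flow in milliseconds, and rounded to seconds
	const uint64_t flowStartMillisec = conn->srcTimeStart;
	const uint32_t flowStartSec = (flowStartMillisec + 500) / 1000;

	// pick the time bin: advance when this flow starts at least binSize after
	// the previous one (lastFlowStartSec == 0 means no flow has been seen yet)
	// todo: variable interval lengths (currently 1 sec) -> binSize
	if (lastFlowStartSec != 0 && (flowStartSec - lastFlowStartSec) >= binSize) {
		timeBin++;
		if (timeBin >= TIMEBINS) {
			calculateEntropy();
			normalizeMatrix(srcIpEntropy, TIMEBINS);
			normalizeMatrix(dstIpEntropy, TIMEBINS);
			normalizeMatrix(srcPortEntropy, TIMEBINS);
			normalizeMatrix(dstPortEntropy, TIMEBINS);
			calculateSingleWayMatrix();
			calculateExpectationMaximation();
			// restart the calculation with empty IP/port arrays
			initTempArrays();
			timeBin = 0;
		}
		lastFlowStartMilliSec = flowStartMillisec;
	}
	// remember this flow's start for the next bin decision
	lastFlowStartSec = flowStartSec;

	// array index of the host: the last octet of its dotted-quad address
	const string hostString = IPToString(host);
	const size_t lastDot = hostString.rfind('.');
	const int odPair = atoi(hostString.substr(lastDot == string::npos ? 0 : lastDot + 1).c_str());
	// the last octet of an IPv4 address is 0..255; anything else would index
	// outside the per-host arrays, so it is rejected instead of dereferenced
	if (odPair < 0 || odPair > 255) return;

	// packets go into the IP array of the local side
	if (isSrc) {
		srcIpPackets[timeBin][odPair] += numFlowPackets;
	} else {
		dstIpPackets[timeBin][odPair] += numFlowPackets;
	}

	// source port: count each distinct port of the host once
	switch (registerPort(srcPortMap, odPair, ntohs(conn->srcPort))) {
	case HOST_NEW:   srcPortNum[timeBin][odPair] = 1;  break;
	case PORT_NEW:   srcPortNum[timeBin][odPair] += 1; break;
	case PORT_KNOWN: break;
	}

	// destination port, same bookkeeping
	switch (registerPort(dstPortMap, odPair, ntohs(conn->dstPort))) {
	case HOST_NEW:   dstPortNum[timeBin][odPair] = 1;  break;
	case PORT_NEW:   dstPortNum[timeBin][odPair] += 1; break;
	case PORT_KNOWN: break;
	}
}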
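/**
 * Feeds one connection into the TRW port scan detection for its source host.
 *
 * Hosts that were already classified are left alone. A connection attempt
 * counts as successful only if the destination answered with SYN+ACK. Every
 * destination is considered once per host; each new one moves the host's
 * likelihood ratio S_N by X_0 (success) or X_1 (failure) and widens the
 * host's destination subnet so that it covers every contacted address. When
 * S_N leaves the [logeta_0, logeta_1] band the host becomes BENIGN or
 * SCANNER; a scanner is reported via IDMEF.
 *
 * @param conn the connection (addresses and masks in network byte order)
 */
void TRWPortscanDetector::addConnection(Connection* conn)
{
	TRWEntry* te = getEntry(conn);

	// this host was already decided on, don't do anything any more
	if (te->decision != PENDING) return;

	// a connection attempt succeeded if the answering host set SYN+ACK
	// for the three-way handshake
	const bool connsuccess =
		(conn->dstTcpControlBits & (Connection::SYN | Connection::ACK)) == (Connection::SYN | Connection::ACK);
	if (connsuccess) {
		te->numSuccConns++;
	} else {
		te->numFailedConns++;
	}

	// one timestamp for every expiry decision taken in this call
	const time_t now = time(0);
	te->timeExpire = now + timeExpirePending;

	// only work with this connection if the host did not contact this destination before
	if (find(te->accessedHosts.begin(), te->accessedHosts.end(), conn->dstIP) != te->accessedHosts.end()) return;
	te->accessedHosts.push_back(conn->dstIP);

	te->S_N += (connsuccess ? X_0 : X_1);

	// aggregate the new destination into the host's destination subnet
	if (te->dstSubnet == 0 && te->dstSubnetMask == 0xFFFFFFFF) {
		te->dstSubnet = conn->dstIP;
	} else {
		// widen the (network byte order) mask one bit at a time until the new
		// destination lies inside the subnet; a mask of 0 matches everything
		while ((te->dstSubnet & te->dstSubnetMask) != (conn->dstIP & te->dstSubnetMask)) {
			te->dstSubnetMask = htonl(ntohl(te->dstSubnetMask) << 1);
			te->dstSubnet &= te->dstSubnetMask;
		}
	}
	DPRINTF("IP: %s, S_N: %f", IPToString(te->srcIP).c_str(), te->S_N);

	// is the evidence adequate for a decision?
	if (te->S_N < logeta_0) {
		// no portscanner, just let the entry stay here until it expires
		te->timeExpire = now + timeExpireBenign;
		te->decision = BENIGN;
	} else if (te->S_N > logeta_1) {
		// this is a portscanner!
		te->decision = SCANNER;
		statNumScanners++;
		te->timeExpire = now + timeExpireScanner;
		msg(MSG_DEBUG, "portscanner detected:");
		msg(MSG_DEBUG, "srcIP: %s, dstSubnet: %s, dstSubMask: %s",
			IPToString(te->srcIP).c_str(), IPToString(te->dstSubnet).c_str(), IPToString(te->dstSubnetMask).c_str());
		msg(MSG_DEBUG, "numFailedConns: %d, numSuccConns: %d", te->numFailedConns, te->numSuccConns);
		// named 'alert' so the msg() log function above is not shadowed
		IDMEFMessage* alert = idmefManager.getNewInstance();
		alert->init(idmefTemplate, analyzerId);
		alert->setVariable(PAR_SUCC_CONNS, te->numSuccConns);
		alert->setVariable(PAR_FAILED_CONNS, te->numFailedConns);
		alert->setVariable(IDMEFMessage::PAR_SOURCE_ADDRESS, IPToString(te->srcIP));
		alert->setVariable(IDMEFMessage::PAR_TARGET_ADDRESS,
			IPToString(te->dstSubnet) + "/" + IPToString(te->dstSubnetMask));
		alert->applyVariables();
		send(alert);
	}
}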
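/**
 * Feeds one connection into the RBS worm detection for its source host.
 *
 * Hosts classified as WORM are ignored. Every destination is counted once
 * per host (a "fanout"). The mean gap between connection attempts that
 * follow each other within one second is tracked for all remaining hosts.
 * Hosts still PENDING are compared against the fanout/time thresholds once
 * they reached lambda_0 fanouts: slower than thresh_0 is BENIGN, faster
 * than thresh_1 is a WORM (reported via IDMEF), in between stays PENDING.
 *
 * @param conn the connection; srcTimeStart is milliseconds since 1970
 */
void RBSWormDetector::addConnection(Connection* conn)
{
	RBSEntry* te = getEntry(conn);

	// worms must not influence our average fanout frequency of non-worm hosts
	if (te->decision == WORM) return;

	// FOLLOWING CODE IS FOR BENIGN AND PENDING HOSTS
	// only work with this connection if the host did not contact this destination before
	if (find(te->accessedHosts.begin(), te->accessedHosts.end(), conn->dstIP) != te->accessedHosts.end()) return;
	te->accessedHosts.push_back(conn->dstIP);

	// host was moved from benign to pending (for average fanouts)
	if (te->switched) {
		te->switched = false;
		te->startTime = conn->srcTimeStart;
	}

	// time since 1970 in milliseconds
	const uint64_t time_elams = conn->srcTimeStart;
	// gap between the last two connection attempts, computed in uint64_t so
	// the result does not depend on sizeof(long) (labs() truncated it where
	// long is 32 bit)
	const uint64_t intarrival = (time_elams > te->lastPacket)
		? time_elams - te->lastPacket
		: te->lastPacket - time_elams;

	// the last two connection attempts were within one second
	if (intarrival < 1000) {
		te->totalSSNum++;
		te->totalSSDur += intarrival;
		te->mean = (te->totalSSDur / (double)1000) / (double)(te->totalSSNum);
	}
	te->lastPacket = time_elams;

	// we are still in the startup phase, don't decide on hosts
	if (lambda_0 == 0) return;
	// this host was already decided on, don't do anything any more
	if (te->decision != PENDING) return;

	// FOLLOWING CODE IS FOR PENDING HOSTS ONLY
	const time_t now = time(0);
	te->timeExpire = now + timeExpirePending;
	te->numFanouts++;
	// packet trace time in seconds
	const double trace_ela = (double)(time_elams - te->startTime) / 1000;

	// thresholds for the current number of fanouts
	const float thresh_0 = te->numFanouts * slope_0a - slope_0b;
	const float thresh_1 = te->numFanouts * slope_1a - slope_1b;

	// need more connections to evaluate
	if (te->numFanouts < lambda_0) return;

	// is the evidence adequate for a decision?
	if (trace_ela > thresh_0) {
		// no worm, just let the entry stay here until it expires
		te->timeExpire = now + timeExpireBenign;
		te->decision = BENIGN;
		statCurBenign++;
	} else if (trace_ela < thresh_1) {
		// this is a worm
		te->decision = WORM;
		statNumWorms++;
		te->timeExpire = now + timeExpireWorm;
		msg(LOG_INFO, "Worm detected:");
		msg(LOG_INFO, "srcIP: %s", IPToString(te->srcIP).c_str());
		msg(LOG_INFO, "numFanOut: %d, totalTime: %f", te->numFanouts, trace_ela);
		// named 'alert' so the msg() log function above is not shadowed
		IDMEFMessage* alert = idmefManager.getNewInstance();
		alert->init(idmefTemplate, analyzerId);
		alert->setVariable(PAR_FAN_OUT, (uint32_t)te->numFanouts);
		alert->setVariable(PAR_TOTALTIME, trace_ela);
		// space separated list of every contacted host
		string hosts;
		for (list<uint32_t>::iterator iter = te->accessedHosts.begin(); iter != te->accessedHosts.end(); ++iter) {
			hosts.append(IPToString(*iter));
			hosts.append(" ");
		}
		alert->setVariable(PAR_HOSTS, hosts.c_str());
		alert->setVariable(IDMEFMessage::PAR_SOURCE_ADDRESS, IPToString(te->srcIP));
		alert->applyVariables();
		send(alert);
	}
}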
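/**
 * Writes the meta report for the most recently completed tree to reportfile.
 *
 * The meta list is the union of the specNodes of all reports of the current
 * tree, sorted highest priority first. For every node one block is written:
 * a header with subnet and priority, then one line per report with the
 * node's count, its share of the report's total and its change against the
 * comparison tree, absolute and relative to the global change. Nodes a
 * report singled out itself are marked with "<-------".
 *
 * Needs at least two trees to compare, otherwise nothing is written.
 */
void AutoFocus::metalist()
{
	// we need at least two trees to compare data; written as "< 2" so an
	// unsigned m_treeCount of 0 cannot wrap around in "m_treeCount-1"
	if (m_treeCount < 2) {
		msg(MSG_INFO, "meta list skipped, waiting for valuable data");
		return;
	}
	const uint32_t index = (m_treeCount - 1) % numTrees;
	// slot of the previous tree: index is taken modulo numTrees, so the same
	// modulus is used for the wrap (the vector's capacity() may exceed the
	// number of valid slots)
	const uint32_t prevIndex = (index + numTrees - 1) % numTrees;
	std::list<report*>& reports = m_treeRecords[index]->reports;

	// collect the specNodes of every report, without duplicates
	std::list<treeNode*> meta;
	for (std::list<report*>::iterator rep = reports.begin(); rep != reports.end(); ++rep) {
		std::list<treeNode*>& spec = (*rep)->specNodes;
		for (std::list<treeNode*>::iterator node = spec.begin(); node != spec.end(); ++node) {
			if (find(meta.begin(), meta.end(), *node) == meta.end())
				meta.push_back(*node);
		}
	}
	// highest priority first
	meta.sort(AutoFocus::metasort);

	ofstream myfile(reportfile.c_str());
	if (!myfile.is_open()) {
		msg(MSG_ERROR, "AutoFocus: cannot open report file '%s'", reportfile.c_str());
		return;
	}

	char num[50];
	for (std::list<treeNode*>::iterator metait = meta.begin(); metait != meta.end(); ++metait) {
		treeNode* node = *metait;
		myfile << "Time" << time(0) << std::endl;
		myfile << "----\n";
		myfile << "SUBNET " << IPToString(node->data.subnetIP) << "/" << node->data.subnetBits
		       << "\t\tPriority Value " << node->prio;

		std::string output;
		for (std::list<report*>::iterator rep = reports.begin(); rep != reports.end(); ++rep) {
			report* r = *rep;
			// change of the report's total against the previous tree, in percent
			// (a zero count in the previous tree yields inf/nan, as before)
			const double change_global = (double)(r->numTotal * 100)
				/ (double)m_treeRecords[prevIndex]->root->data.m_attributes[r->getID()]->numCount - 100.0;
			const uint64_t data = node->data.m_attributes[r->getID()]->numCount;

			std::string locl("\n");
			// %25s is a minimum width; snprintf keeps a long report name from
			// overflowing num (sprintf did not)
			snprintf(num, sizeof(num), "%25s", r->global.c_str());
			locl.append(num);
			locl.append("\t");
			snprintf(num, sizeof(num), "%10llu", (unsigned long long)data);
			locl.append(num);
			locl.append(" \t");
			const double percentage = (double)(data * 100) / (double)r->numTotal;
			snprintf(num, sizeof(num), "%7.2f%%", percentage);
			locl.append(" ");
			locl.append(num);

			treeNode* before = r->getComparismValue(node, m_treeRecords, index);
			const double change = (double)(data * 100)
				/ (double)before->data.m_attributes[r->getID()]->numCount - 100.0;
			locl.append("\tChange: Absolute: ");
			snprintf(num, sizeof(num), "%7.2f", change);
			locl.append(num);
			locl.append("\tRelative: ");
			snprintf(num, sizeof(num), "%7.2f", change_global - change);
			locl.append(num);
			if (find(r->specNodes.begin(), r->specNodes.end(), node) != r->specNodes.end())
				locl.append("\t<-------");
			output.append(locl);
		}
		myfile << output;
	}
	myfile.close();
}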
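/**
 * Spread measure of a list of flow start times (milliseconds): the sample
 * standard deviation of the gaps between consecutive (sorted) start times,
 * divided by the number of gaps. Returns -1 when fewer than three start
 * times are available. Sorts @p starts in place.
 */
static double startTimeVariance(list<uint64_t>& starts)
{
	const size_t n = starts.size();
	if (n < 3) return -1;
	starts.sort();
	double sum = 0;
	double qsum = 0;
	list<uint64_t>::iterator cur = starts.begin();
	list<uint64_t>::iterator prev = cur++;
	for (; cur != starts.end(); ++cur, ++prev) {
		// sorted ascending, so the gap cannot underflow; squared in double to
		// avoid 64-bit overflow for very large gaps
		const uint64_t gap = *cur - *prev;
		sum += gap;
		qsum += (double)gap * (double)gap;
	}
	// sample variance (stichprobenvarianz) over the n-1 gaps, not the start times themselves
	const double variance = (1.0 / (n - 2)) * (qsum - ((1.0 / (n - 1)) * (sum * sum)));
	return sqrt(variance) / (n - 1);
}

/** Sets the IDMEF variable @p name to "1" if @p hit, otherwise to "0". */
static void setFlag(IDMEFMessage* m, const char* name, bool hit)
{
	m->setVariable(name, hit ? "1" : "0");
}

/**
 * Calculates the P2P criteria for every host that was active during the
 * ongoing interval, reports hosts matching more than six of the nine
 * criteria as P2P clients via IDMEF, and starts a new (empty) interval.
 *
 * @param dataPtr unused timer payload
 */
void P2PDetector::onTimeout(void* dataPtr)
{
	timeoutRegistered = false;

	for (map<uint32_t, P2PEntry>::iterator iter = hostList.begin(); iter != hostList.end(); ++iter) {
		P2PEntry& e = iter->second;

		// criteria; all rates are per second of interval length
		const double udpRate = ((double)e.numUDPBiFlows) / intLength;
		const double udpHostRate = ((double)e.contactedUDPHosts.size()) / intLength;
		const double tcpRate = ((double)e.numTCPBiFlows) / intLength;
		const double coexistentTCPCons = ((double)e.sumTCPLength) / intLength;
		const double rateLongTCPCons = ((double)e.numLongTCPCons) / intLength;
		const double tcpVariance = startTimeVariance(e.succBiFlowStarts);
		// a host without TCP biflows yields inf/nan here, as before; such a
		// value fails the threshold test below
		const double failedConsPercent = (((double)e.numFailedTCPCons) * 100) / e.numTCPBiFlows;
		const double tcpFailedRate = ((double)e.numFailedTCPCons) / intLength;
		const double tcpFailedVariance = startTimeVariance(e.failedBiFlowStarts);

		// which criteria the host matches; the variances count only when
		// they could be computed (>= 0)
		const bool hit[9] = {
			udpRate > udpRateThreshold,
			udpHostRate > udpHostRateThreshold,
			tcpRate > tcpRateThreshold,
			coexistentTCPCons > coexistentTCPConsThreshold,
			rateLongTCPCons > rateLongTCPConsThreshold,
			(tcpVariance <= tcpVarianceThreshold) && (tcpVariance >= 0),
			failedConsPercent > failedConsPercentThreshold,
			tcpFailedRate > tcpFailedRateThreshold,
			(tcpFailedVariance <= tcpFailedVarianceThreshold) && (tcpFailedVariance >= 0)
		};
		int points = 0;
		for (int i = 0; i < 9; i++) {
			if (hit[i]) points++;
		}

		// host is a p2p client
		if (points > 6) {
			msg(MSG_INFO, "P2P client detected:");
			msg(MSG_INFO, "IP: %s, dstSubnet: %s, dstSubMask: %s",
				IPToString(iter->first).c_str(), IPToString(subnet).c_str(), IPToString(subnetmask).c_str());
			// named 'alert' so the msg() log function above is not shadowed
			IDMEFMessage* alert = idmefManager.getNewInstance();
			alert->init(idmefTemplate, analyzerId);
			alert->setVariable("UDP_RATE", udpRate);
			setFlag(alert, "TRUE1", hit[0]);
			alert->setVariable("UDP_HOST_RATE", udpHostRate);
			setFlag(alert, "TRUE2", hit[1]);
			alert->setVariable("TCP_RATE", tcpRate);
			setFlag(alert, "TRUE3", hit[2]);
			alert->setVariable("COEXISTENT_TCP_CONS", coexistentTCPCons);
			setFlag(alert, "TRUE4", hit[3]);
			alert->setVariable("RATE_LONG_TCP_CONS", rateLongTCPCons);
			setFlag(alert, "TRUE5", hit[4]);
			alert->setVariable("TCP_VARIANCE", tcpVariance);
			setFlag(alert, "TRUE6", hit[5]);
			alert->setVariable("FAILED_CONS_PERCENT", failedConsPercent);
			setFlag(alert, "TRUE7", hit[6]);
			alert->setVariable("TCP_FAILED_RATE", tcpFailedRate);
			setFlag(alert, "TRUE8", hit[7]);
			alert->setVariable("TCP_FAILED_VARIANCE", tcpFailedVariance);
			setFlag(alert, "TRUE9", hit[8]);
			alert->setVariable("PEER_ADDRESS", IPToString(iter->first).c_str());
			alert->applyVariables();
			send(alert);
		}
	}
	// new interval starts
	hostList.clear();
}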
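/**
 * Creates directory @p dir unless it already exists. Uses mkdir() and
 * tolerates EEXIST instead of stat()-then-mkdir(), so a concurrent creator
 * cannot turn the check into a spurious failure.
 */
static void ensureDirectory(const string& dir)
{
	if (mkdir(dir.c_str(), S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH) != 0 && errno != EEXIST)
		THROWEXCEPTION("error while creating directory '%s': %s", dir.c_str(), strerror(errno));
}

/** Writes @p len bytes of @p data to @p f; throws (naming @p path) on failure. */
static void writeBytes(FILE* f, const void* data, size_t len, const string& path)
{
	if (fwrite(data, len, 1, f) != 1)
		THROWEXCEPTION("failed to write to file '%s', error: %s", path.c_str(), strerror(errno));
}

/** Writes the NUL-terminated @p text to @p f; throws (naming @p path) on failure. */
static void writeText(FILE* f, const char* text, const string& path)
{
	writeBytes(f, text, strlen(text), path);
}

/**
 * Writes @p label, then up to 500 bytes of @p payload with every
 * non-printable byte replaced by '.', then a newline, to the info file @p f.
 */
static void writeNicePayload(FILE* f, const string& path, const char* label, const void* payload, uint32_t len)
{
	char buf[500];
	writeText(f, label, path);
	if (len > 0) {
		const uint32_t buflen = (len > sizeof(buf)) ? (uint32_t)sizeof(buf) : len;
		memcpy(buf, payload, buflen);
		for (uint32_t i = 0; i < buflen; i++) {
			// isprint() is defined for unsigned char values only; a plain
			// (possibly signed) char with the high bit set is undefined
			if (!isprint(static_cast<unsigned char>(buf[i]))) buf[i] = '.';
		}
		writeBytes(f, buf, buflen, path);
	}
	writeBytes(f, "\n", 1, path);
}

/**
 * Dumps one connection to disk: one ".payload" file per direction that has
 * a payload and one ".info" file with the flow's meta data (addresses,
 * ports, timestamps, counters, payload lengths and a printable preview of
 * both payloads).
 *
 * Files are named <prefix>-<id>-<srcip>.<srcport>-<dstip>.<dstport> and
 * placed in a two-level directory derived from the connection id below
 * path; the directories are created on demand. connectionID is incremented
 * per call. Every I/O failure is reported via THROWEXCEPTION.
 *
 * @param conn the connection to dump (ports and counters in network byte order)
 */
void IpfixPayloadWriter::dumpEntry(Connection* conn)
{
	// file name for each direction
	char filename[2][100];
	snprintf(filename[0], sizeof(filename[0]), "%s-%04llu-%s.%d-%s.%d", filenamePrefix.c_str(), (long long unsigned)connectionID,
		IPToString(conn->srcIP).c_str(), ntohs(conn->srcPort), IPToString(conn->dstIP).c_str(), ntohs(conn->dstPort));
	snprintf(filename[1], sizeof(filename[1]), "%s-%04llu-%s.%d-%s.%d", filenamePrefix.c_str(), (long long unsigned)connectionID,
		IPToString(conn->dstIP).c_str(), ntohs(conn->dstPort), IPToString(conn->srcIP).c_str(), ntohs(conn->srcPort));
	// two directory levels derived from the connection id
	char idxpath[2][100];
	snprintf(idxpath[0], sizeof(idxpath[0]), "/%04llX", (long long unsigned)(connectionID >> 16));
	snprintf(idxpath[1], sizeof(idxpath[1]), "/%02llX/", (long long unsigned)(connectionID >> 8));
	connectionID++;

	// create paths, if needed
	string mkpath = path + string(idxpath[0]);
	ensureDirectory(mkpath);
	mkpath += string(idxpath[1]);
	ensureDirectory(mkpath);

	const string filepayload[2] = {
		mkpath + string(filename[0]) + ".payload",
		mkpath + string(filename[1]) + ".payload"
	};
	const string fileinfo = mkpath + string(filename[0]) + ".info";
	msg(MSG_VDEBUG, "writing files for connection %s", filename[0]);
	struct stat s;
	if (stat(filepayload[0].c_str(), &s) == 0 && !filewarningIssued) {
		msg(MSG_DIALOG, "files in IpfixPayloadWriter destination directory already present, overwriting ...");
		filewarningIssued = true;
	}

	// save the payload of each direction in its own file
	FILE* f;
	if (conn->srcPayload) {
		f = fopen(filepayload[0].c_str(), "w+");
		if (f == NULL) THROWEXCEPTION("failed to open file '%s', error: %s", filepayload[0].c_str(), strerror(errno));
		if (conn->srcPayloadLen && fwrite(conn->srcPayload, conn->srcPayloadLen, 1, f) != 1)
			THROWEXCEPTION("failed to write to file '%s', error: %s, 1", filepayload[0].c_str(), strerror(errno));
		if (fclose(f) != 0) THROWEXCEPTION("failed to close file '%s', error: %s, 2", filepayload[0].c_str(), strerror(errno));
	}
	if (conn->dstPayload) {
		f = fopen(filepayload[1].c_str(), "w+");
		if (f == NULL) THROWEXCEPTION("failed to open file '%s', error: %s", filepayload[1].c_str(), strerror(errno));
		if (conn->dstPayloadLen && fwrite(conn->dstPayload, conn->dstPayloadLen, 1, f) != 1)
			THROWEXCEPTION("failed to write to file '%s', error: %s, 3", filepayload[1].c_str(), strerror(errno));
		if (fclose(f) != 0) THROWEXCEPTION("failed to close file '%s', error: %s, 4", filepayload[1].c_str(), strerror(errno));
	}

	// save additional data: one "key: value" line per field
	f = fopen(fileinfo.c_str(), "w+");
	if (f == NULL) THROWEXCEPTION("failed to open file '%s', error: %s", fileinfo.c_str(), strerror(errno));
	char buf[500];
	snprintf(buf, sizeof(buf), "srcIP: %s\n", IPToString(conn->srcIP).c_str());
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "dstIP: %s\n", IPToString(conn->dstIP).c_str());
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "srcPort: %u\n", ntohs(conn->srcPort));
	writeText(f, buf, fileinfo);
	// ntohs for both ports (htons gives the same 16-bit swap, but this reads as intended)
	snprintf(buf, sizeof(buf), "dstPort: %u\n", ntohs(conn->dstPort));
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "srcFlowTimes: %llu / %llu\n", (long long unsigned)conn->srcTimeStart, (long long unsigned)conn->srcTimeEnd);
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "revFlowTimes: %llu / %llu\n", (long long unsigned)conn->dstTimeStart, (long long unsigned)conn->dstTimeEnd);
	writeText(f, buf, fileinfo);
	// counters are stored in network byte order; the 64-bit swap is symmetric
	snprintf(buf, sizeof(buf), "srcOctets: %llu\n", (long long unsigned)htonll(conn->srcOctets));
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "revOctets: %llu\n", (long long unsigned)htonll(conn->dstOctets));
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "srcPackets: %llu\n", (long long unsigned)htonll(conn->srcPackets));
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "revPackets: %llu\n", (long long unsigned)htonll(conn->dstPackets));
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "protocol: %d\n", conn->protocol);
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "srcPayloadLen: %d\n", conn->srcPayloadLen);
	writeText(f, buf, fileinfo);
	snprintf(buf, sizeof(buf), "dstPayloadLen: %d\n", conn->dstPayloadLen);
	writeText(f, buf, fileinfo);
	// printable preview of both payloads
	if (conn->srcPayload != 0)
		writeNicePayload(f, fileinfo, "nicePayload: ", conn->srcPayload, conn->srcPayloadLen);
	if (conn->dstPayload != 0)
		writeNicePayload(f, fileinfo, "revNicePayload: ", conn->dstPayload, conn->dstPayloadLen);
	if (fclose(f) != 0) THROWEXCEPTION("failed to close file '%s', error: %s", fileinfo.c_str(), strerror(errno));
}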